Being in the UK, one of the advantages of using OpenDNS (and OpenDNScrypt) is to avoid UK ISP DNS filtering, but I thought the article made some interesting points for those of us outside the US.

Anyone got any thoughts?

One further question - if I am running my own DNS server (on Windows SBS2011), where does the DNS database come from? In setting things up I don't seem to have been asked for any reference DNS site. Does it generate its own list - if so, where does it get the translations from? (Excuse my ignorance if I am being totally dim.)

It seems like specifically he's talking about overseas use. My lookups are actually faster and the speed has noticeably increased since I switched. It would seem that there needs to be such an option for overseas use, i.e. if google would put DNS servers also in the UK or there was an alternative to OpenDNS that operated out of the UK/Europe.

1. For testing, you could try giving GRC's DNS Benchmark utility a shot.

Since you're in Europe, you'll want to allow it to build a custom DNS server list for you. The default one supplied is optimized for US users so it's skewed to use US based DNS servers. It takes about a half hour for it to build a table after querying all 4000+ recognized nameservers worldwide. And it's a one-shot thing. Once it has the table it just reuses it. Subsequent tests go much faster after that. Info and download here.

2. Your DNS server gets its info from an authoritative domain name server of which there are many up on the internet. It's a decentralized system (like the rest of the Internet) so there's no one single place where all the data is stored. This is one reason why, if you switch a host, it may be a day or so before everybody gets correctly redirected to your new host. It takes time for the change to percolate and replicate throughout the DNS system. Most DNS changes can take between a few hours and a day before every DNS server is carrying the correct address. There are also premium DNS listing services that will push DNS changes through the system more quickly if you're running a site (i.e. commerce) that can't afford to wait. Very similar to how Windows Server's Active Directory works on a multi-server corporate network.

This webpage has a quick rundown of what happens when you make a DNS query. It explains where root, top-level domain, and authoritative and recursive nameservers come into play to process your request.

So I guess you could say your DNS server ultimately gets its information from the Internet itself.

Quote

One further question - if I am running my own DNS server (on Windows SBS2011), where does the DNS database come from? In setting things up I don't seem to have been asked for any reference DNS site. Does it generate its own list - if so, where does it get the translations from? (Excuse my ignorance if I am being totally dim.)

(40Hz beat me to it, but I'll add this anyway.) By default a Windows DNS server will forward external DNS requests to the internet root (DNS) servers. So if you want to use an internal DNS server - like for a domain environment - you would configure all client machines to use the internal DNS server only. Then, in the Forwarders tab of the DNS server configuration dialog, you would add the OpenDNS servers, which will cause the server to stop sending requests to the root servers and forward all resolution requests to the specified servers.

I've been using the OpenDNS servers for all of the networks managed by our company for a year or so and have absolutely zero complaints.

I would recommend using BIND9 as the DNS resolver instead of the Windows one, as the Linux version will have slightly higher stability and performance. But the Windows DNS service is fully functional if you don't already have a Linux server to put it on. The network where I work actually uses both side by side for reliability; that way, if I botch one of the configs while working on it, the workstations will automatically fail over to the other server.

Also, configuring forwarders is not necessary unless you already have DNS servers upstream that you want to relay to. By default Windows and Linux DNS servers when performing a recursive lookup for a client will perform the complete lookup themselves without having to forward upstream. You will want to configure your DHCP server to advertise your DNS servers though instead of alternative servers, and if you want to enforce only your servers use a firewall to block DNS requests going anywhere other than to or from your DNS server.

Oh, and be very careful: make sure your server only performs recursive requests for LAN clients. If you allow it to recurse over the WAN, it can be used to launch DDoS attacks via a very serious exploit in the DNS recursion mechanism. Good firewalling is helpful, but the best way is to configure the server's access controls so that only your LAN is allowed to use it for recursion.

But the way a server performs a DNS lookup is this:

- Check if the server is authoritative for the requested info. If so, return records on hand.
- Check if the server has a cached response for that info. By default lookups are cached so that successive requests can use cached data until the TTL expires.
- Contact the root servers for that TLD. Each country has a root mirror group, routes to which are configured using a combination of multicast and anycast addressing along with some route manipulation, so that you will almost always hit a nearby root mirror. The root servers return the nameserver records for the second level domain name.
- Contact the nameservers obtained from the root server and retrieve the corresponding records from them, which are returned to the client and also cached so that future requests for the same info can be sped up using the cached data - until the TTL expires.

By default what a forwarder config does is makes it so that instead of going to the root servers, it simply hands off the query to an upstream server. This will actually make your DNS slower than just looking it up yourself, but as some ISPs traffic shape DNS it may be necessary for reliable DNS resolution.

What running your own DNS server does though is makes it so that you are only vulnerable to censorship at the root servers, your server contains a default root server list when installed and it is recommended to update the root list every 6 months or so just in case. Public DNS servers and ISP DNS servers are often censored by DNS poisoning- inserting false records for certain sites in order to make them inaccessible. For instance if I wanted to block hotmail.com on a company's LAN, all I would have to do is create an A-record on the DNS resolver for that company that points requests for *.hotmail.com to 127.0.0.1. Clients would then be unable to access hotmail unless they were using a different DNS resolver, or bypassing the main resolver entirely and looking up their own from the roots.
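As an added illustration of the post above (this is example code written for this thread, not anyone's posted configuration), here is a toy recursive resolver in Python. It walks the referral chain from a root hint through a TLD server to the authoritative server, caches the answer until its TTL expires, refuses recursion for clients outside the LAN, and applies a local override record of the kind described for blocking hotmail.com. All server addresses (198.51.100.x), the answer (192.0.2.10), the LAN range (192.168.1.0/24) and the zone contents are constructed for the example; the "servers" are just dictionaries, so nothing touches the network.

```python
"""Toy recursive resolver: root -> TLD -> authoritative referral chain,
TTL-bounded cache, LAN-only recursion ACL, and a local override record.
All data below is constructed for illustration; none of it is real DNS data."""
import ipaddress
import time

# Constructed "root hint": the address of our fake root server.
ROOT_HINTS = ["198.51.100.1"]

# What each fake server knows. A server matches the longest suffix of the
# queried name it has an entry for and returns either a referral (a list of
# nameserver addresses further down the tree) or a final answer (address, TTL).
ZONES = {
    "198.51.100.1": {                              # fake root: delegates .com
        "com.": {"referral": ["198.51.100.2"]},
    },
    "198.51.100.2": {                              # fake .com TLD server
        "example.com.": {"referral": ["198.51.100.3"]},
    },
    "198.51.100.3": {                              # fake authoritative for example.com
        "www.example.com.": {"answer": ("192.0.2.10", 300)},
    },
}

# Only clients in these networks may use the server for recursion (the "LAN").
ALLOW_RECURSION = [ipaddress.ip_network("192.168.1.0/24")]

# Local override records, as in the post's hotmail.com blocking example:
# anything under hotmail.com resolves to 127.0.0.1 and never leaves the LAN.
LOCAL_RECORDS = {
    "hotmail.com.": ("127.0.0.1", 3600),
    "www.hotmail.com.": ("127.0.0.1", 3600),
}


class Refused(Exception):
    """Raised when a client outside ALLOW_RECURSION asks for recursion."""


class Resolver:
    def __init__(self, now=time.time):
        self.now = now       # injectable clock so TTL expiry can be tested
        self.cache = {}      # name -> (address, absolute expiry time)
        self.trace = []      # servers contacted during the last resolve()

    def _ask(self, server, name):
        """Simulate one query to `server` for `name`."""
        self.trace.append(server)
        zone = ZONES[server]
        labels = name.split(".")
        for i in range(len(labels)):           # longest suffix match
            suffix = ".".join(labels[i:])
            if suffix in zone:
                return zone[suffix]
        return None                            # server knows nothing useful

    def resolve(self, name, client_ip):
        client = ipaddress.ip_address(client_ip)
        if not any(client in net for net in ALLOW_RECURSION):
            raise Refused(f"recursion refused for {client_ip}")
        self.trace = []
        # 1. Data we hold ourselves (authoritative / local override) wins.
        if name in LOCAL_RECORDS:
            return LOCAL_RECORDS[name][0]
        # 2. Cached answer, but only while its TTL has not run out.
        hit = self.cache.get(name)
        if hit is not None and hit[1] > self.now():
            return hit[0]
        # 3. Iterate from the root hints, following referrals downward.
        servers = list(ROOT_HINTS)
        while servers:
            reply = self._ask(servers[0], name)
            if reply is None:
                return None                    # no delegation for this name
            if "answer" in reply:
                addr, ttl = reply["answer"]
                self.cache[name] = (addr, self.now() + ttl)
                return addr
            servers = reply["referral"]
        return None


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com.", "192.168.1.5"), r.trace)   # full walk
    print(r.resolve("www.example.com.", "192.168.1.5"), r.trace)   # cache hit
    print(r.resolve("www.hotmail.com.", "192.168.1.5"), r.trace)   # override
    try:
        r.resolve("www.example.com.", "203.0.113.9")
    except Refused as e:
        print("refused:", e)
```

The first lookup contacts all three fake servers, the repeat is served from cache without contacting anyone, the hotmail.com query never leaves the box, and the query from 203.0.113.9 (outside the LAN) is refused rather than answered, which is the access-control behaviour the post recommends over relying on the firewall alone.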

Quote

Being in the UK, one of the advantages of using OpenDNS (and OpenDNScrypt) is to avoid UK ISP DNS filtering, but I thought the article made some interesting points for those of us outside the US.

According to OpenDNS they have a datacentre in London and:

Quote

Unlike other providers, OpenDNS’s network uses sophisticated Anycast routing technology, which means no matter where you are in the world, your DNS requests are answered by the datacenter closest to you.

So in theory, you don't need to use OpenDNScrypt; just setting your DNS IPs to OpenDNS should bypass any IP filtering done by your ISP's DNS, as you'll be routed to OpenDNS' London datacentre.

FWIW, I run my own DNS purely because it's faster (even for uncached fetches, generally), and I don't have to rely on someone else's (which was a problem at a couple of my previous ISPs).